When does the Puppy linux security model make sense?

I have just spent a few hours playing with Puppy linux, which has some very nice features, but there are some things about its approach to security (at least the default settings) that worry me: 1. It seems that the intended way to use it is to run everything as root 1. There is no password for root (by default-- of course I could add one) 1. There is no automated (or even a simple non-automated) way of getting security updates for packages, as far as I can tell. (I might have missed something.) I have always had drummed into my head the importance of having a complex password, of not browsing the internet as an admin/root user, and of keeping system software (and browser, and plugins) up to date with patches for the latest vulnerabilities. However, despite what looks to me like a recipe for disaster (outlined above), Puppy is popular enough to have a lot of spin-offs, so there must be scenarios in which the apparent lack of security is a non-issue. What are they?